The Device Lab welcomes participants who agree to act in good faith, and in the best interest of patients, when researching, disclosing, and addressing security issues.
Prior to opening the Village, medical device manufacturers (MDMs) will tour the virtual RPG environment unique to BHV and use the provided endpoint security devices to connect. Prior to DEF CON, the BHV will deliver a threat model (co-authored by OWASP), a threat and attack report (provided by Scythe), and a Software Bill of Materials (provided by Medcrypt). An After Action Report is then developed for MDMs, containing the logged reports from the environment.
Security researchers must sign the Hippocratic Oath for Hackers and agree to the framework of boundaries and rules of engagement that applies both during and after the conference. The BHV Device Lab Credo is online and available for review prior to engagement. Once confirmed, hackers will build relationships with the MDMs via a scavenger hunt. Each device comes with an nmap scan and the MDM-provided manual for review.
As part of their product security programs, and of their proactive initiatives to test their products and to enhance the cybersecurity of their medical technologies, select medical device makers are teaming up with the Biohacking Village.
These manufacturers are inviting security researchers to learn about and test their products in dedicated spaces set aside for them. Their staff will answer questions, educate researchers, and triage any potential security issues. Researchers who perform testing should expect to follow the manufacturer's published coordinated vulnerability disclosure policy and to report any potential issues found so they can be addressed.
We believe that the Biohacking Village can save lives through security research. To do so, security researchers and medical device makers must be mindful that vulnerability discovery, disclosure, and remediation in public safety contexts must be handled with both due haste and due care.
We have volunteers from CERT/CC, the US DHS, MITRE, and the US FDA on hand to facilitate disclosures and to provide other resources as well. Security researchers who take the Device Lab pledge, to act in the best interest of patients and to disclose potential vulnerabilities to the manufacturer in good faith, are welcome to participate in our Open Security Testing.